Tuesday, September 05, 2017

Game of Drones

On June 13, a US drone attack in Hangu district of Khyber Pakhtunkhwa province in Pakistan killed Abu Bakar Haqqani of the Afghan terrorist Haqqani Network. Since Abu Bakar Haqqani was killed inside the area administered by Pakistan and not in the tribal belt, US Secretary of State Rex Tillerson has threatened an inter-agency review of his country’s funding and support to Pakistan.
Meanwhile, Pakistan army chief, General Qamar Javed Bajwa, has objected to the drone strikes inside Pakistani territory without a warning. Pakistan denies the presence of the Haqqanis after all kinds of terrorists were supposed to have been driven out of the country — including in the tribal areas bordering Afghanistan — as a result of the Operation Zarb-e-Azb.
But why was Abu Bakar Haqqani found in Hangu confirming the US charge that Pakistan was sheltering the Haqqani group? The Haqqani Network was based in North Waziristan agency and should have had nothing to do in a Pakistan-administered district. But the truth is that the Haqqanis have been found in all parts of Pakistan since the founder of the network, Jalaluddin Haqqani, got his early training in the Quran at Madrasa Haqqania near Peshawar.
In February 2016, US drones killed five Haqqani Network terrorists in Hangu taking time off from their depredations in Khost, Paktika and Logar provinces in Afghanistan in addition to the capital, Kabul. In 2013, the drones killed a commander of the network again in Hangu after Pakistan had arrested and released him in 2010 along with other senior members of the infamous Quetta Shura, which is composed of members of the Afghan Taliban. Hangu is developing as a rallying point of the network which is considered the real mover and shaker of the Afghan Taliban — an outfit that today controls more than half of the Afghan provinces.
Meena Menon — who was reporting from Islamabad for The Hindu in 2013-14 before she was expelled and is the author of the excellent book released this year, Reporting Pakistan — notes that after Nasiruddin Haqqani was killed in 2013 in Islamabad, his funeral was conducted in Miramshah in North Waziristan by the Taliban. Menon writes, “Nasiruddin Haqqani, said to be in his thirties, was the eldest son of Jalaluddin. He was reportedly arrested in 2010 at the behest of the US and was kept in a safe house for interrogation.
The Pakistani Taliban or TTP had alleged that security agencies were behind the killing. He was on the UN Security Council (UNSC) sanctions list of individuals whose assets were frozen and against whom there was a travel ban and an arms embargo as well. He was also a fundraiser for the outfit and travelled often to the Middle East.”
Pakistan’s attitude towards the network has been greatly informed by its relations with the United Arab Emirates (UAE) which, together with Saudi Arabia, accounts for the bulk of the foreign remittances from expat Pakistani workers. The Haqqani Network too derives strong financial support from the UAE. The network’s founder’s family has associations with that country, which is why the Taliban in Afghanistan issues strong denials every time the outfit is accused of attacking UAE diplomats in Kabul.
One can understand the Rs 300 million gifted by Imran Khan to the madrasa near Peshawar where Jalaluddin Haqqani studied in his youth in light of the fact that many agencies of the tribal area adjacent to the Khyber-Pakhtunkhwa province don’t starve because of the UAE remittances. Also, Jalaluddin Haqqani was reared and nurtured by not only Pakistan but also the Americans and their Arab allies during the anti-Soviet Afghan war.
Jalaluddin Haqqani formed the network in 1995. In 1996, he was appointed minister of tribal affairs, a position he held till 2001 when the US carpet-bombed the Taliban government out of Kabul.
Pakistan fought the Soviets in Afghanistan and became part of the international resistance that Washington and Jeddah generously financed. Not only were the Taliban, headed by the Haqqanis, accepted as friends in need, but their Arab ally, the al Qaeda establishment, was embraced — its founder Abdullah Yusuf Azzam built International Islamic University of Islamabad with Arab money. The Western world led by the US encouraged the mingling between the Pakistan state and the jihadis in Afghanistan, something very few take note of when they quote the US Chairman of the Joint Chiefs of Staff Admiral Mike Mullen’s statement to the Senate Armed Services Committee in 2011. “The Haqqani Network acts as a veritable arm of Pakistan’s Inter-Services Intelligence agency,” Mullen had said.
Pakistan, ever politically unstable, is being squeezed on the eastern border by India. On the western border, which the Pakhtun of both states don’t recognise, it is being pressured by the renegade Pakistani Taliban and the Kabul government, which funds them with financial assistance from India — all of it getting mixed up with the insurgents in Balochistan and their killers in Sindh.
The US today threatens to punish Pakistan if it doesn’t act against the Haqqanis but if Pakistan does its bidding it will lose its last leverage with Afghanistan which in turn means it will be out of any peace process with its western neighbour. Regionally, India is getting together with the US to counter the China Pakistan Economic Corridor (CPEC) — Pakistan’s last chance to get out of decades of instability and economic inertia.

Saturday, May 13, 2017

Internet of things

1. Introduction

During the history of mankind, cities have been trying to offer their residents a better quality of life, a safe and comfortable environment and economic prosperity. Nowadays, citizens expect from their cities fluid transportation, clean air, responsible consumption of utilities, constant interaction with city administrators, transparent governance, good health and educational systems and significant cultural facilities. In order to answer these requests, a city needs to become smarter and smarter, continuously improving its status quo. For the purpose of this chapter, we define a smart city as a future, better state of an existing city, where the use and exploitation of both tangible (e.g. transport infrastructures, energy distribution networks and natural resources) and intangible assets (e.g. human capital, intellectual capital of companies and organizational capital in public administration bodies) are optimized. Summarizing the opinions expressed in, the relevant goals for a smart city are:
  • Smart mobility (traffic management, bike/car/van sharing, multimodal transport, road condition monitoring, parking system, route planning, electric car gearing services);
  • Smart grid/energy (power generation/distribution/storage, energy management, smart metering, street lighting optimization);
  • Public safety (video/radar/satellite surveillance, environmental and territorial monitoring, children protection—e.g. safer home-school journeys for children, emergency solutions, waste management, smart air quality, weather data for snow cleaning);
  • Smart governance (transparent decisional process, a greater involvement of citizens in legislative initiatives, public-private partnerships, online taxing systems);
  • Smart economy (high-level jobs, competitiveness, entrepreneurial spirit, innovation and research in the field) and
  • Smart life (cultural and educational facilities, meaningful events, entertainment and guided tours, access to cultural sights and historical monuments, good conditions for health).
An essential element of a smart city, often neglected when focus is placed on infrastructure, is the self-decisive, independent and aware citizen. Humans are seen as sensors, with a direct and active public participation, strongly facilitated by information and communication technologies (ICT). The relationship between the city and the smart citizen should be characterized by urban openness, defined as systems' capacity to enable user-driven innovation in existing and new services, participatory service design and open data platform availability. Also, service innovation, partnership formation and urban proactiveness (the extent to which smart city services are moving towards sustainable energy use as well as ICT-enabled services) are mandatory.
In recent years, the fulfilment of these goals depends more and more on technology, especially ICT. In consequence, one of the essential nuances of the term “smart city” is given by the ICT incorporation in urban infrastructure, with solutions as city operating systems, centralized control rooms, urban dashboards, intelligent transport systems, integrated travel ticketing, bike share schemes, real-time passenger information displays, logistics management systems, smart energy grids, controllable lighting, smart meters, sensor networks, building management systems, various smartphone apps and sharing economy platforms.
Internet of Things (IoT) has a central place among these technologies. In IoT, the physical things connect to other physical and virtual things, using wireless communication and offering contextual services. IoT is based on a global infrastructure network which connects uniquely identified objects, by exploiting the data captured by the sensors and actuators, and the equipment used for communication and localization. Radio-frequency identification (RFID) lies at the basis of this development, but the IoT has developed by incorporating technologies such as sensors, printed electronics or codes, PLC, EnOcean, GPS, mobile (2G/GSM, 3G, 4G/LTE, GPRS) and short-range (NFC, Bluetooth, ZigBee, Wi-Fi, ANT, Z-Wave, IEEE 802.15.4) communications. The collaboration of the cyber-real artefacts is changing the city infrastructure, and their autonomous and nomadic characteristics might lead to serious security problems that must be understood and solved in good time. A key challenge for IoT towards smart city applications is ensuring their reliability, incorporating the issues of ethics, security (confidentiality/integrity/availability), robustness and flexibility to rapidly changing environmental conditions. Without guarantees that the interconnected objects are accurately sensing the environment and are exchanging the data and information in a secure way, users are reluctant to adopt this new technology. People’s trusting acceptance of IoT components in a smart city is closely related to the notions of risk, security and the protection of private life, which must be properly addressed by urban management.

2. Security challenges in Internet of Things

The aspects related to ethics and security in ICT have been a subject of study for the academic world and the wide public since the appearance of computers and the prefiguration of artificial intelligence. Thus, it is said that ICTs are of an emergent and creative nature and, explicitly or implicitly, they take over some of our tasks and delicately induce certain moods or even force behaviour patterns, following their own development and functioning logic, imperatively steering humankind towards its maximum efficiency. Society can only answer this by adapting and accepting the situation. Over time, security in ICT has been treated from a historical perspective, at the organizational level, from a hacker’s point of view or from a technical one. Currently, researchers approach the so-called green technologies, calm technologies, cloud computing, the impact of social media on people and communities and especially IoT, which raises a great number of security questions.
Difficulties in approaching IoT security are brought at least by the following elements:

  • While city security is addressed primarily by city managers, IoT is rather understood by engineers. These two sides must dialogue and transfer knowledge both ways, a process which is not necessarily easy. If the authors of norms, standards, programs and security policies lag behind technical experts, the digital divide may deepen a lot and collaboration may prove difficult.
  • One of the information security truisms says that the attackers are always one step ahead of the “good guys”. But while current, “classical” Internet attacks may cause damage to information confidentiality, integrity and availability, similar actions in IoT can lead even to the loss of human lives. There have already been demonstrations of hackers’ interference in the on-board computers of cars/planes and attacks in surgery rooms or on patients with implanted insulin pumps or other medical devices. As the list of vulnerable systems includes electric heating systems, food distribution networks, hospitals, traffic light systems and transport networks, which are strongly interconnected in a smart city, the attack scenarios which might be envisaged starting from here are truly scary. In consequence, the importance of security measures increases greatly in the IoT.
  • Besides attackers, the autonomous behaviour of things that invisibly communicate with each other can affect our lives, in ways still difficult to predict. Anticipating dangers in IoT through a serious vulnerability scan becomes a necessity, but the process is difficult and can be done only with a sustained research and practice effort.
  • The IoT landscape is fragmented, because its applications are based on different architectures, standards and software platforms of significant complexity. Each smart city develops proprietary technological solutions, in response to its own problems and opportunities. In many situations the connected things, technologies and their firmware are protected by trade secrets. The legal framework is not yet appropriate, and legal responsibilities are not clear enough. Existing solutions are not interconnected and standardized, creating so-called technological silos; also, a lot of actors are involved, and various regions of the systems are controlled by different organizations.
Even this non-exhaustive presentation of the IoT-related security issues is an alarm signal that, in a smart city, every inhabitant should be assured he/she is protected by efficient technical, economic, legal and social actions. In what follows, the above-mentioned problems are going to be approached in a framework in which smart cities are seen as a synergetic sum of smart devices that generate huge amounts of data while working for the smart citizens’ benefit.

2.1. SECURITY VULNERABILITIES IN INTERNET OF THINGS

The most important vulnerabilities in IoT are determined by the special nature of interconnected objects and the great variety and sensitiveness of the data collected.

2.1.1. NOT-SO-SMART THINGS

The objects interconnected in IoT and used in smart cities are characterized by ubiquity, miniaturization, autonomy, unpredictable behaviour and difficult identification. Their heterogeneity is impressive, ranging from tiny/invisible objects to very sophisticated embedded systems. In the same city, we can easily identify sensors used to monitor pollution and air quality, traffic and the greater road infrastructure, public and private safety, energy and water consumption, waste management, etc.; wearable sensors, placed into clothing or under the skin; usual things such as keys, watches, coffee filters, fridges, domestic heating controllers, books, doors, etc. and devices with a lot of computing power such as smartphones, tablets, printers, TVs, medical devices, SCADA (supervisory control and data acquisition) systems, cars, etc. Their number increases on a daily basis, and so do the connections between them. All these things can be very smart in some situations and quite stupid in others: for example, smart in the sense that they collect, transmit, process and respond to various data, but stupid when there is a need to protect them. Software, hardware and network constraints that restrict the inclusion of adequate security mechanisms (e.g. cryptography) directly in smart objects have been identified. For this reason, security measures are usually left aside, and the exposure to attacks is high. A Hewlett-Packard study shows that 80% of things in IoT fail to require passwords of a sufficient complexity and length, 70% enable an attacker to identify valid user accounts through account enumeration, 70% use unencrypted network services and 60% raise security concerns with their user interfaces.
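The account-enumeration and weak-password findings quoted from the Hewlett-Packard study both come down to how a device's login code is written. The following is an added example, not code from the chapter or from the HP study: a login handler that leaks whether a username exists (different messages and an early return for unknown users) beside a hardened one that returns a single failure message, does the same hashing work whether or not the account exists and compares digests in constant time, plus the provisioning-time password policy that the 80% figure says most devices lack. The user store, passwords and the 12-character minimum are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly; real devices tune this higher


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(accounts: dict) -> dict:
    """Build a username -> (salt, hash) store from plaintext passwords (provisioning time only)."""
    store = {}
    for name, password in accounts.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


# Constructed sample accounts for the demo; not real device credentials.
SAMPLE_STORE = make_user_store({"admin": "Corr3ct-Horse-Battery", "operator": "m3ter-Read!ng-2017"})

# Dummy record used for unknown users so the hardened path always does a full hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_urlsafe(24), _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str) -> tuple:
    """The pattern behind the enumeration finding: a distinct message (and an early return)
    tells the caller whether the username exists before the password is even checked."""
    if username not in store:
        return (False, "unknown user")
    salt, expected = store[username]
    if _hash_password(password, salt) != expected:
        return (False, "wrong password")
    return (True, "ok")


def login_uniform(store: dict, username: str, password: str) -> tuple:
    """Hardened: one failure message, the same amount of work for unknown and known users,
    and a constant-time digest comparison."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected) and username in store
    return (ok, "ok" if ok else "invalid credentials")


MIN_PASSWORD_LENGTH = 12  # constructed policy value


def password_is_acceptable(password: str, username: str) -> bool:
    """Provisioning-time policy: minimum length, at least three character classes,
    and the password must not contain the username."""
    if len(password) < MIN_PASSWORD_LENGTH or username.lower() in password.lower():
        return False
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return sum(any(cls(c) for c in password) for cls in classes) >= 3


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn(SAMPLE_STORE, "nobody", "x"), fn(SAMPLE_STORE, "admin", "x"))
    print(password_is_acceptable("admin", "admin"), password_is_acceptable("Sr7!pq-Lw9#mz", "admin"))
```

Both handlers reject the same bad logins; the difference is that `login_uniform` gives an observer nothing to distinguish "no such account" from "wrong password", neither in the message nor in the time taken, because the dummy record keeps the PBKDF2 call on the unknown-user path too.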

2.1.2. DELUGES OF SENSITIVE DATA AND INFORMATION

Data collected by smart things are at the heart of smart cities. The problem is that they are sensitive data, often gathered without citizens’ explicit consent. For example, messages, medical and academic records, personal pictures, appointments, bank account information, contacts and others can be used by the smart cities’ infrastructure, with more or less security measures put in place. Safely combining IoT data from different sources is a serious issue in a smart city, since there is no guaranteed trusted relationship between the parties involved. As regards the property right on data and information, the difficulties appear from the correct identification of the authors—for example, an answer to the question “Who is the owner of data retrieved by sensors connected in IoT?” is hard to give at this point. When the information is personal or financial, things get more serious. The IoT omnipresence will make the boundaries between the public and private space invisible, and people will not know where their information security ends up. Big Brother type surveillance, namely monitoring individuals without them being aware of it, will be possible.
User privacy is strongly affected by the fact that the objects are equipped with sensors which will allow them to “see”, “hear” or even “smell”. The data registered by the sensors are sent in great quantities and in different ways through networks, and this can harm the individual’s private life. According to [19], today’s average smart mobile devices and applications are capable of recording user mileage, blood pressure, pulse and other intimate medical data that can be stored or sent to points of interest without the explicit user consent. These facts combined with the estimate that in 2020 the number of interconnected devices from IoT will exceed 25 billion can have devastating consequences. By means of RFID, GPS and NFC technologies, the geographic position of a person and his/her movements from one place to another can be easily found without his/her knowledge.
At a supra-level, smart spaces want to know everything about their inhabitants. As presented in various technologies capture personally identifiable information and household level data about citizens (their characteristics, their location and movements and their activities), link these data together to produce new derived data, and use them to create profiles of people and places and to make decisions about them. For example, a smart building is sensitive in terms of environmental condition (temperature, humidity, smoke, CO2, extreme light, air pollution, external presences) and is also able to determine a very accurate user profile based on his/her habits. Vehicles are active members of cities; they interact with each other, with drivers/passengers and with pedestrians. As shown they have embedded computers, GPS receivers, short-range wireless network interfaces and potentially access to in-car sensors and the Internet. The smart city infrastructure can read data about vehicles using radars, Bluetooth detectors and license plate cameras. Speed, flow and travel times are known this way and they can be associated with the driver’s identity. Tracking can reveal sensitive locations, such as home or work locations, along with the time and duration of each visit, effectively allowing one to infer the detailed behavioural profiles of drivers, information about safety-critical events, speed, destination, home and workplace addresses, time spent in a particular location and so on.

2.2. SECURITY THREATS IN INTERNET-OF-THINGS

Security threats can be divided, according to their nature, into three major categories: natural factors, based on hazard; threats caused by incidents that appeared in the system (errors); threats on systems caused by human-intended action (attacks).

2.2.1. NATURAL FACTORS

The natural causes based on hazard, that can affect the IoT implementations in a smart city, can be divided into special environment conditions and natural calamities or disasters. The first category includes extremely high or low temperatures, excessive humidity or an excessively dusty environment which, in time, can cause IoT devices to break down. In the second case, the smart city infrastructure can be affected by fires, floods, strong winds, storms or earthquakes.

2.2.2. INCIDENTS/ERRORS

One of the most frequent human errors that can emerge when using IoT devices is improper configuration, such as failing to enable the login function or other security mechanisms. The devices are not configured in an adequate manner, default factory settings are used and this is especially dangerous when passwords are involved. Proper authentication settings are not put in place, terms and conditions are not read/understood and there is no knowledge about the data collected by applications and the way they are used by third parties. Also, people give the same treatment to all the data stored in the device—without taking into account the fact that certain data, when loaded onto IoT devices, can require extra security measures. Unaware citizens are easily fooled through social engineering, spam emails, data streaming and other malicious methods. More severe are the errors that appear in the configuration of networks. The causes of errors are the “classic” ones—insufficient qualification/thoughtlessness, people’s involvement in problems that are outside their competencies (either due to curiosity, or from overconfidence in their own ability to solve certain things), ignorance (we shouldn’t expect users to use a system correctly if they haven’t been trained to do so) and lack of interest in performing certain actions.
The problems related to the software are much more numerous in the IoT environment as compared to the classical environment, as a result of the immaturity of IoT applications. Producers have difficulties in developing software which functions properly on all customized models. Even more challenging is the problem of portability for those who develop software for the whole range of devices found on the market. The significant software complexity involved by IoT, the requirement that each object/device must have a unique identity and the large code base cause difficult testing and validation procedures. In a more specific manner, it has been shown that encryption is not used to fetch updates, update files are not properly encrypted, updates are not verified before upload and firmware usually contains sensitive information.
For various reasons, the services offered by IoT providers do not function normally all the time, and communication line breakdowns, lack of signal and connection errors occur. A malfunction at the level of a network, either from a provider or from within an organization, can result in the blocking of the infrastructure in a certain area of the city. Wireless networks are more vulnerable than wired ones, due to interference, frequent disconnections, broadcast transmission of data, low capacity and great mobility of devices. In consequence, the wireless channels are more susceptible to errors and this may lead to the degradation of security services, easier data interception and difficult use of advanced encryption schemes. The physical security of objects is not guaranteed and their identification and authentication are problematic, especially in public networks; control of the objects may be lost and cascade failures may appear, caused by the interconnectivity of a large number of devices, which are difficult to protect simultaneously.
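The firmware-update problems listed above (updates not verified before they are applied, and nothing to stop an old image being pushed back onto a device) are what a device-side verification step is meant to close. The following is an added example and not the chapter's or any vendor's code; it assumes a small JSON manifest carrying the image version, the image's SHA-256 and an HMAC-SHA256 tag computed by the vendor under a key provisioned on the device, all of which are constructed here. The device refuses an image whose manifest does not authenticate, whose version is not newer than the installed one, or whose bytes do not match the manifest digest.

```python
import hashlib
import hmac
import json

# Constructed demo key. A production design would put only a public verification key on the
# device and have the vendor sign with the matching private key; HMAC stands in for that here.
VENDOR_KEY = b"constructed-demo-key-not-for-real-devices"


def _manifest_bytes(version: int, image_sha256: str) -> bytes:
    """Canonical encoding of the fields the tag covers (sorted keys, so both sides agree)."""
    return json.dumps({"version": version, "sha256": image_sha256}, sort_keys=True).encode()


def sign_manifest(version: int, image: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: bind the image digest and version together under the key."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, _manifest_bytes(version, digest), "sha256").hexdigest()
    return {"version": version, "sha256": digest, "tag": tag}


def verify_update(manifest: dict, image: bytes, installed_version: int,
                  key: bytes = VENDOR_KEY) -> tuple:
    """Device side. Order matters: authenticate the manifest first, so that the version and
    digest fields are trusted before they are used for the rollback and integrity checks."""
    try:
        version = int(manifest["version"])
        digest = str(manifest["sha256"])
        tag = str(manifest["tag"])
    except (KeyError, TypeError, ValueError):
        return (False, "malformed manifest")
    expected_tag = hmac.new(key, _manifest_bytes(version, digest), "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return (False, "manifest authentication failed")
    if version <= installed_version:
        return (False, "downgrade or replay rejected")
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), digest):
        return (False, "image digest mismatch")
    return (True, "ok")


# Constructed firmware image and the manifest the vendor would ship with it.
GOOD_IMAGE = b"\x7fELF-constructed-firmware-image-v2" + bytes(range(64))
GOOD_MANIFEST = sign_manifest(2, GOOD_IMAGE)


def demo() -> dict:
    """Run the verifier over the cases the paragraph warns about and return each verdict."""
    forged = dict(GOOD_MANIFEST, version=3)          # version edited after signing
    return {
        "genuine": verify_update(GOOD_MANIFEST, GOOD_IMAGE, installed_version=1),
        "tampered_image": verify_update(GOOD_MANIFEST, GOOD_IMAGE + b"\x00", installed_version=1),
        "forged_manifest": verify_update(forged, GOOD_IMAGE, installed_version=1),
        "rollback": verify_update(GOOD_MANIFEST, GOOD_IMAGE, installed_version=2),
        "no_manifest": verify_update({}, GOOD_IMAGE, installed_version=1),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```

Transport encryption (fetching the update over TLS) protects the image on the wire, but it does not replace this step: the device still has to check authenticity, version and integrity itself, because the download server, the path between them and local storage are all places where the image can be swapped after the TLS session ends.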

2.2.3. ATTACKS

In a smart city, the attack surface is an extended one. Usual problems refer to deliberate device damage/theft, attacks on devices/components intended for recycling, malware and phishing attacks, network spoofing attacks or social engineering (e.g. app repackaging—a malware writer takes a legitimate application, modifies it to include malicious code, then makes it available for download—or attacks using a newer version of software—the creator of the malicious software pushes a newer version of the app, infected with malware, to the smart device user). But there are also numerous novel problems that make the attack scenarios inexhaustible.
First of all, we notice a large and increasing number of sensor-based attacks. To start from our pockets, we must admit that the inventory of sensors in a smartphone is intimidating: GPS chips, microphones, cameras, accelerometers, gyroscopes, proximity sensors, magnetometers, ambient light sensors, fingerprint scanners, barometers, thermometers, pedometers, heart rate monitors, sensors capable of detecting harmful radiation, back-illuminated sensors, RGB light sensors, Hall sensors. Such sensors detect the location of the mobile phone, in this way helping users to navigate in cities by maps/pictures, measure the position, tilt, shock, vibration and acceleration (the rate of change of velocity), rotations/twists, detect the presence of nearby objects without any physical contact, capture how bright the ambient light is, measure atmospheric pressure, deliver altitude data, detect the minute pulsations of the blood vessels in one’s fingers and calculate one’s pulse. They can capture location, movements, time stamps, even private conversations and background noises. As a result, a smartphone can be used to keep a targeted individual under surveillance. This, combined with the possibility of installing third-party software and the fact that a smartphone is closely associated with an individual, makes it a useful spying tool.
From a different point of view, the use of these sensors by different applications, the quantity and the purpose of collected data are not fully understood and controlled by their owners. For example, as shown in , video and pictures can reveal the social circle and behaviour of a citizen in a completely unexpected manner; smartphones are more and more targeted by malware which accesses the microphone, cameras and other sensors. The book mentions Soundcomber, a proof-of-concept Trojan horse application that records the sounds made when digits are pressed, identifies them and tries to reveal typed PINs or passwords.
When users placed their smartphone next to the keyboard, the deviations of the accelerometer were measured. In this way, entire sequences of text entered on a smartphone touch screen keyboard were intercepted. Various similar successful examples have been presented to the world: using the motion sensors (accelerometers and gyroscopes), keystrokes (four-digit PINs and swiping patterns) were inferred from the touch screens of smartphones and tablets with various operating systems. It has also been shown that the gyroscope can be used to eavesdrop on speech in the vicinity of the phone.
From another range of IoT devices, thermostats communicate their location (including the postcode), temperature data, humidity and ambient light data, the time and duration of activation—these data can be used to determine domestic habits of a citizen; medical bracelets store the heartbeat and sleeping patterns, collecting biometric and medical data that reveal individuals’ physiological state. It is obvious that if these valuable data are not well treated, significant privacy problems may occur.
Various new attacks are also permitted by short-range communication technology. ZigBee is a global standard and protocol developed as a lightweight wireless communication for helping smart objects to address one another in a common and easy way. With low costs and good efficiency, ZigBee technologies are used in many domains such as home automation, industrial control or medical data collection. ZigBee-enabled systems are vulnerable to security threats, such as traffic sniffing (eavesdropping), packet decoding and data manipulation/injection. Moving on to Bluetooth, some blue-prefix attacks are bluejacking (spamming nearby object users with unsolicited messages), bluesnarfing (stealing the contact information found on vulnerable devices) and bluebugging (accessing smart objects’ commands without notifying or alerting their user). Also, anyone with a Bluetooth-enabled device and software for discovering passwords via multiple variants (brute force) could connect to a road sensor, etc. Regarding Near Field Communication, possible security attacks include eavesdropping, data corruption or modification, interception attacks and physical theft. At a 2012 BlackHat conference, a researcher presented his findings on how he hacked smart devices to take advantage of a variety of exploits.

2.3. LIVING IN A SMART CITY: SOME RISKY SCENARIOS

If we take into consideration the smart cities’ dimension, we can imagine a multitude of scenarios as effects of the previously mentioned vulnerabilities and threats.
According to Bettina Tratz-Ryan, research vice president at Gartner, “smart commercial buildings will be the highest user of IoT until 2017, after which smart homes will take the lead with just over 1 billion connected things in 2018” [30]. Smart buildings increasingly use technology to control aspects such as heating, lighting and physical access control—all of which are potential vectors for attackers to target. A building automation system (BAS) controls sensors and thermostats. Several areas of concern were found in the BAS architecture that could allow hackers to take control, not only of the individual building system but also of the central server, which could then be a springboard to attack other buildings. After this proof-of-concept, IBM X-Force ethical hacking team leader Paul Ionescu said that the exercise proved that very little attention was being paid to IoT in smart buildings, as these devices fell outside the scope of traditional ICTs.
In an attempt to explore security issues in smart city transport infrastructure and give recommendations on how to address them, a Kaspersky Lab Global Research & Analysis Team (GReAT) expert conducted field research into the specific type of road sensors that gather information about city traffic flow. The team demonstrated that information gathered by these devices, delivered and analysed in real time by the special city authorities, can be intercepted and misused, in scenarios such as demolishing expensive equipment and sabotaging the work of the city authority’s services. Some attacks which enable hackers to stop the engine during travel or open the doors of a car in a parking lot are presented. From a different point of view, it was shown that, in public transportation, screens reflected in sunglasses were filmed and, with special software, the passwords entered by users were recovered.
Another example demonstrates that the mobile infrastructure used by the police forces in a smart city is vulnerable. With low-cost and widely available equipment (including a GirlTech IMME toy instant messenger costing $15), denial-of-service and interception attacks were proved possible. Captured clear text data included identifying features of targets and undercover agents, plans for forthcoming operations, a wide range of crimes, etc.
Denial-of-service attacks can be trivially launched by malicious entities against a wireless-based communication infrastructure. In the context of a smart grid, such attacks have potential to disrupt smart grid functions such as smart metering, demand response and outage management, thus impacting its overall resiliency.
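From the grid operator's side, the first sign of the wireless denial-of-service the paragraph describes is usually visible in the gateway's own traffic: one source suddenly emitting far more frames than any meter would, and legitimate meters falling silent while it does. The following is an added example, not code from the chapter: it parses a constructed smart-meter gateway log (the chapter gives no log format; the `src=`/`type=` fields, the 15-second reporting interval and the thresholds are all assumed), flags any source that exceeds a per-window frame budget, and lists meters whose readings have stopped arriving for two reporting intervals, which is the outage-management impact the paragraph mentions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed gateway log. Three meters report every 15 s; a rogue node floods join requests
# at 10:00:03 and meter-042 stops reporting from that moment on.
SAMPLE_LOG = """\
2017-05-13T10:00:00 src=meter-017 type=reading
2017-05-13T10:00:00 src=meter-042 type=reading
2017-05-13T10:00:00 src=meter-103 type=reading
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:03 src=node-9f type=join_request
2017-05-13T10:00:15 src=meter-017 type=reading
2017-05-13T10:00:15 src=meter-103 type=reading
2017-05-13T10:00:30 src=meter-017 type=reading
2017-05-13T10:00:30 src=meter-103 type=reading
"""


def parse_log(text: str) -> list:
    """Turn 'ISO-timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        record = {"ts": datetime.fromisoformat(ts_text)}
        for field in fields:
            key, _, value = field.partition("=")
            record[key] = value
        events.append(record)
    return events


def detect_floods(events: list, window_s: int = 10, threshold: int = 8) -> dict:
    """Sliding-window frame count per source; returns {source: peak count} for sources
    that sent more than `threshold` frames inside any `window_s`-second window."""
    recent = defaultdict(deque)
    peaks = {}
    for ev in events:  # events are assumed to be in time order, as a gateway log would be
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > threshold:
            peaks[ev["src"]] = max(peaks.get(ev["src"], 0), len(window))
    return peaks


def detect_silent_meters(events: list, expected_interval_s: int = 15) -> list:
    """Meters that produced readings earlier but have been silent for two full intervals
    by the end of the log: the availability loss behind the 'outage management' impact."""
    last_reading = {}
    for ev in events:
        if ev.get("type") == "reading":
            last_reading[ev["src"]] = ev["ts"]
    log_end = max(ev["ts"] for ev in events)
    return sorted(src for src, ts in last_reading.items()
                  if (log_end - ts).total_seconds() >= 2 * expected_interval_s)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flooding sources:", detect_floods(evs))
    print("silent meters:", detect_silent_meters(evs))
```

The two detectors are deliberately independent: a flood with no silent meters suggests the gateway is absorbing it, while silent meters with no visible flood point at radio-layer jamming that never reaches the log at all, and the paragraph's point is that either outcome degrades metering and outage management.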
In the health area, presents a science-fiction scenario, in which brain-computer interface (BCI)-based games could provide their users with stimuli that generate subconscious thoughts (e.g. part of a PIN number, passwords, financial data). These thoughts are captured by the BCI device and sent to the attacker, who analyses them, searching for sensitive information.
Attacks in these zones can compromise entire systems, and an infection can be easily transmitted between systems. This, in extremis, can lead to an infection of the city itself, destroying even the physical infrastructure and threatening lives. This scenario seems to be a science-fiction one, but it’s important to remember that Stuxnet, an “unprecedentedly masterful and malicious piece of code”, has been sold on the black market since 2013. The experts in ICT security say it could be used to attack any physical target which is related to computers, and the list of vulnerable systems is almost endless—electric heating systems, food distribution networks, hospitals, traffic light systems, transport networks, etc. Other malware, such as the Linux.Darlloz worm, infects a wide range of home routers, set-top boxes, security cameras and other consumer devices that are increasingly equipped with an Internet connection. In these conditions, terrorist cyber-strikes against the utility and industrial infrastructure can no longer be dismissed as a spy movie scenario. In an analysis of industrial control system (SIEMENS S7, MODBUS, DNP3, BACNET) security conducted at Romania’s level, [35] showed that most vulnerabilities were found in GSM towers, utilities providers, furnaces and data centres. Intrusions in SCADA systems can lead to disruptions in the exchange of data between control centres and end-users. As a result, certain services provided to citizens (access to public health services in critical moments, the supply of electricity in some areas) will be compromised; certain areas of the city can be blocked by stopping traffic lights, etc. Intruders can also install malware in data centres/user devices to obtain sensitive information about citizens and use it for criminal purposes.

3. IoT-related security measures for a safer smart city

In an IoT-based smart city architecture, development and progress are not possible without trust. The security of each device, sensor and solution is not optional; it must be taken into consideration from the very beginning. Given the shifting ground described above, the need to rethink "classical" security measures is mandatory. Specific novel measures are also needed from the various actors involved.

3.1. LEGAL/GOVERNMENTAL ACTIONS

Through extensive regulation and proper financing, the European Union (EU) has made an impressive start in the field of smart city security. EU leaders affirm that security should play an important role in any smart city development strategy, considering that web-based attacks on IoT increased by 38% in 2015 [36]. The Alliance for Internet of Things Innovation (AIOTI), an organization founded by the European Commission and various IoT key players in 2015, strongly recommends the principles of "privacy by design" (inclusion of proper security measures at the earliest stage of technological design) and "privacy by default" (no unnecessary data are collected or used) [37]. Under this umbrella, partners with different backgrounds (local authorities, telecom operators, universities, companies, small and medium enterprises) bring together their complementary legal, academic, societal, technical and business expertise and implement powerful projects. Some of the (intended) results of selected projects are presented in Figure 1.
Most European governments also affirm a strong interest in securing IoT, which is, in their opinion, an important factor for innovation and growth.

3.2. CITY MANAGERS

In a smart city, programs, policies, procedures, safety standards, best practices, and security incident and event management systems need to be developed and put in place. This is the responsibility of the city administrator; cooperation with the private sector is also mandatory. Proper audit trail mechanisms are needed to ensure that service providers do not overstep their limits. As smart cities grow, the infrastructure becomes more interconnected and risks multiply. A coherent and stable digital architecture must be maintained. By identifying vulnerable systems, assessing the type and magnitude of probable risks and instituting remedial measures, these bodies can counter cyber-physical attacks and create risk-resilient smart services, maintaining their inhabitants' trust that the systems are safe and secure.

FIGURE 1. Smart city–related security results in EU-funded projects.

The ICT departments of the public administration have to educate citizens properly. They can use social media tools to raise awareness and control and to empower citizens to easily manage access to IoT devices and information, while allowing IoT-enabled, citizen-centric services to be created through open community APIs. No doubts about data collection or misunderstandings of the legal framework should be allowed to arise: inhabitants must be informed directly of any risk to their privacy and security. Secure exchange of in-transit and at-rest data is required between IoT devices, cities and citizens. The ultimate goal is more self-aware user behaviour, e.g. use of two-step authentication on devices (at a minimum, default passwords should be replaced with stronger ones), password encryption, or constant software updates.

3.3. PRODUCERS/SECURITY PROVIDERS/SOFTWARE DEVELOPERS

Producers have to provide secure design and development of hardware: security methods should be built into the IoT equipment and network at the very beginning of the process, not after its implementation. Cooperation with security providers and researchers is mandatory: they need to adapt "classical" security methods such as encryption, identity management techniques, device authentication mechanisms, digital certificates, digital signatures and watermarking to the new environment and make them available to all entities interested in proper data protection; they can also help producers find and patch vulnerabilities before it is too late.
At the device level, information about default names, MAC and IP addresses, ports, the technological processes used in the production phase, and even the producer's or vendor's name should be kept confidential; with this information, an attacker can easily find online tools for hacking the device and gain control of the management systems of the smart infrastructure. Better user configuration capabilities are necessary, since the number and complexity of systems make it necessary to provide mechanisms that allow users to configure the systems themselves. Feedback should be solicited from users in a coherent way; consumers' opinions must be taken into consideration when devices and networks are redesigned.
In software development, testing should receive proper attention: thorough security scanning before releasing code is a common-sense requirement. Better controls over who has access to software are also needed, to prevent leakage of information such as passwords. Application developers need to specify very clearly the measures they have taken before users' private and confidential data are accessed, and the anonymization and encryption procedures used while data are in transit.

4. Conclusions

In a smart city, IoT interferes strongly with inhabitants' lives. IoT, which is no longer in its infancy, presents various vulnerabilities and threats, caused by technological advances and proliferated through a lack of user awareness. They are augmented by the extended use of new technologies such as RFID, NFC, ZigBee, sensors, 3G and 4G, which bring with them both the adaptation of traditional information security threats to this new environment and the emergence of new dangers. The problems treated here are of interest to each of us as citizens, and to city managers and national and international regulators, especially in a world in which the borderline between physical and virtual life is becoming more and more difficult to draw.
In this context, urban managers have to address carefully the notions of trust, risk, security and privacy. City authorities have to be well informed about all the problems related to smart things, spaces, services and citizen security; the solutions offered by security providers also have to be known and chosen with maximum discernment.

WannaCry|WannaDecrypt or NSA-Cyberweapon-Powered Ransomware Worm

A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.

The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm, compromising hosts, encrypting the files stored on them and then demanding a ransom payment in Bitcoin.

Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry does not appear to be leveraging only the ETERNALBLUE modules associated with this attack framework; it also scans accessible servers for the presence of the DOUBLEPULSAR backdoor. Where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality to infect the system with WannaCry. Where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

Please note that this threat is still under active investigation; the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.

CAMPAIGN DETAILS

We observed an uptick in scanning of our internet facing honeypots starting shortly before 5am EST (9am UTC).


INFRASTRUCTURE ANALYSIS

Cisco Umbrella researchers first observed requests for one of WannaCry's killswitch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak of just over 1,400 nearly 10 hours later.

The domain composition looks almost human typed, with most characters falling into the top and home rows of a keyboard.

This domain can be categorized as a kill switch domain because of its role in the overall execution of the malware:

The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However, if it succeeds, the subroutine exits. The domain is registered to a well known sinkhole, effectively causing this sample to terminate its malicious activity.

The raw registration information reinforces this, as the domain was registered on 12 May 2017:

MALWARE ANALYSIS

An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don't have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method.
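As an added example (not code from the Talos post), the following Python runs two detections that follow from the kill switch and propagation behaviour described above: hosts that resolved the kill switch domain, and a single source reaching many distinct hosts in its own /24 on TCP/445 within a short window. The log format, thresholds and all sample addresses are constructed assumptions.

```python
"""Added example, not code from the Talos post: two detections over
constructed network telemetry for the behaviour described above.
1. Hosts that resolved the kill switch domain: the successful lookup made
   the dropper exit, but such a host ran the malware and needs cleanup.
2. Worm-like spreading: one source opening TCP/445 to many distinct hosts
   in its own /24 within a short window (the second mssecsvc.exe stage).
Assumed log format: "<ISO ts> dns <client> <qname>" and
"<ISO ts> conn <src> <dst> <dport>".
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# The post gives the domain defanged with "[.]"; refang it for matching.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com".replace("[.]", ".")

# Constructed sample telemetry, not real captures.
# 10.0.5.17 resolved the kill switch domain and therefore stopped.
# 10.0.5.31 never resolved it (e.g. egress DNS blocked, which is exactly the
# failure case in which the post says the worm proceeds) and sweeps its /24.
# 10.0.5.40 is a benign client talking repeatedly to one file server.
# 10.0.5.23 reaches a host in another /24, not the pattern the post describes.
SAMPLE_LOG = (
    ["2017-05-12T07:24:01 dns 10.0.5.17 " + KILLSWITCH_DOMAIN]
    + [f"2017-05-12T07:24:{2 + i:02d} conn 10.0.5.31 10.0.5.{100 + i} 445"
       for i in range(12)]
    + [
        "2017-05-12T07:30:00 dns 10.0.5.40 www.example.com",
        "2017-05-12T07:30:05 conn 10.0.5.40 10.0.5.9 445",
        "2017-05-12T07:30:06 conn 10.0.5.40 10.0.5.9 445",
        "2017-05-12T07:30:07 conn 10.0.5.40 10.0.5.9 445",
        "2017-05-12T07:31:00 conn 10.0.5.23 10.0.7.8 445",
    ]
)


def parse_line(line):
    """Parse one log line into a dict; return None for blank or unknown lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts = datetime.fromisoformat(parts[0])
    if parts[1] == "dns" and len(parts) == 4:
        return {"ts": ts, "kind": "dns", "client": parts[2],
                "qname": parts[3].lower().rstrip(".")}
    if parts[1] == "conn" and len(parts) == 5:
        return {"ts": ts, "kind": "conn", "src": parts[2],
                "dst": parts[3], "dport": int(parts[4])}
    return None


def killswitch_contacts(records):
    """Sorted list of hosts that queried the kill switch domain."""
    return sorted({r["client"] for r in records
                   if r["kind"] == "dns" and r["qname"] == KILLSWITCH_DOMAIN})


def smb_sweeps(records, min_targets=10, window_s=60):
    """Map each source that reached at least min_targets distinct hosts in its
    own /24 on TCP/445 within window_s seconds to its peak distinct count."""
    per_src = defaultdict(list)
    for r in records:
        if r["kind"] != "conn" or r["dport"] != 445:
            continue
        local_net = ipaddress.ip_network(r["src"] + "/24", strict=False)
        if ipaddress.ip_address(r["dst"]) in local_net:
            per_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits inside the sliding window
        lo, peak = 0, 0
        for t_hi, dst_hi in events:
            in_window[dst_hi] += 1
            while (t_hi - events[lo][0]).total_seconds() > window_s:
                dst_lo = events[lo][1]
                in_window[dst_lo] -= 1
                if in_window[dst_lo] == 0:
                    del in_window[dst_lo]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def analyse(lines):
    """Run both detections over raw log lines."""
    records = [r for r in map(parse_line, lines) if r]
    return {"killswitch_contacts": killswitch_contacts(records),
            "smb_sweeps": smb_sweeps(records)}
```

Note that a host whose kill switch lookup was blocked by an egress DNS policy shows up only in the second detection, which is why sinkholing the domain rather than blocking it is the safer choice.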

The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.

The tor.exe file is executed by @wanadecryptor@.exe. This newly executed process initiates network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by proxying their traffic through the Tor network.

Typical of other ransomware variants, the malware also deletes any shadow copies on the victim's machine in order to make recovery more difficult. It achieves this by using WMIC.exe, vssadmin.exe and cmd.exe.

WannaCry uses various methods to aid its execution, leveraging attrib.exe to set the +h (hidden) attribute and icacls.exe to grant full access rights to all users: "icacls . /grant Everyone:F /T /C /Q".
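As an added example (not Talos' code), the following Python scores constructed process-creation events for the host-side chain described above: mssecsvc.exe launching tasksche.exe, shadow copy deletion through vssadmin.exe or WMIC.exe, the icacls grant to Everyone, attrib +h, @wanadecryptor@.exe and tor.exe. The event shape, file paths, weights and every command line except the icacls one quoted in the post are assumptions.

```python
"""Added example, not code from the Talos post: score constructed process
creation events for the host behaviours the post describes. The event shape
(host, parent, image, command_line), the paths and the sample command lines
other than the quoted icacls one are assumptions."""
import ntpath
from collections import defaultdict


def _image(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _cmd(event):
    return event["command_line"].lower()


# (rule name, weight, predicate); weights are illustrative.
RULES = [
    ("dropper_spawns_tasksche", 3,
     lambda e: _image(e["parent"]) == "mssecsvc.exe"
     and _image(e["image"]) == "tasksche.exe"),
    # Only deletion fires, so an admin running "vssadmin list shadows" stays quiet.
    ("shadow_copy_deletion", 3,
     lambda e: _image(e["image"]) in {"vssadmin.exe", "wmic.exe"}
     and "shadow" in _cmd(e) and "delete" in _cmd(e)),
    ("icacls_everyone_full", 2,
     lambda e: _image(e["image"]) == "icacls.exe"
     and "/grant everyone:f" in _cmd(e)),
    ("attrib_hide", 1,
     lambda e: _image(e["image"]) == "attrib.exe" and "+h" in _cmd(e).split()),
    ("ransom_note_process", 3,
     lambda e: _image(e["image"]) == "@wanadecryptor@.exe"),
    ("tor_from_ransom_note", 2,
     lambda e: _image(e["image"]) == "tor.exe"
     and _image(e["parent"]) == "@wanadecryptor@.exe"),
]

S32 = r"C:\Windows\System32"
DROP = r"C:\drop"  # placeholder drop directory, not the real one


def ev(host, parent, image, command_line):
    return {"host": host, "parent": parent, "image": image,
            "command_line": command_line}


# Constructed sample events, not real telemetry. WS01 shows the full chain;
# WS02 shows look-alike but benign administration.
SAMPLE_EVENTS = [
    ev("WS01", DROP + r"\mssecsvc.exe", DROP + r"\tasksche.exe", "tasksche.exe"),
    ev("WS01", S32 + r"\cmd.exe", S32 + r"\icacls.exe",
       "icacls . /grant Everyone:F /T /C /Q"),
    ev("WS01", S32 + r"\cmd.exe", S32 + r"\vssadmin.exe", "vssadmin delete shadows"),
    ev("WS01", S32 + r"\cmd.exe", S32 + r"\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev("WS01", S32 + r"\cmd.exe", S32 + r"\attrib.exe", "attrib +h ."),
    ev("WS01", DROP + r"\taskse.exe", DROP + r"\@wanadecryptor@.exe", "@wanadecryptor@.exe"),
    ev("WS01", DROP + r"\@wanadecryptor@.exe", DROP + r"\Tor\tor.exe", "tor.exe"),
    ev("WS02", S32 + r"\cmd.exe", S32 + r"\icacls.exe", r"icacls D:\share /grant alice:R"),
    ev("WS02", S32 + r"\cmd.exe", S32 + r"\vssadmin.exe", "vssadmin list shadows"),
    ev("WS02", S32 + r"\cmd.exe", S32 + r"\attrib.exe", "attrib +h notes.txt"),
]


def match_rules(event):
    """Names of the rules that fire on a single event."""
    return [name for name, _, pred in RULES if pred(event)]


def score_hosts(events, threshold=5):
    """Sum rule weights per host and return hosts at or above the threshold."""
    scores, fired = defaultdict(int), defaultdict(set)
    for e in events:
        for name, weight, pred in RULES:
            if pred(e):
                scores[e["host"]] += weight
                fired[e["host"]].add(name)
    return {h: {"score": s, "rules": sorted(fired[h])}
            for h, s in scores.items() if s >= threshold}
```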

The malware has been designed as a modular service. It appears to us that the executable files associated with the ransomware have been written by a different individual than whoever developed the service module. Potentially, this means that the structure of this malware can be used to deliver and run different malicious payloads.

After encryption is complete, the malware displays the following ransom note. One interesting aspect of this ransomware variant is that the ransom screen is actually an executable and not an image, HTA file, or text file.
Organisations should be aware that there is no obligation for criminals to supply decryption keys following the payment of a ransom. Talos strongly urges anyone who has been compromised to avoid paying the ransom if possible as paying the ransom directly funds development of these malicious campaigns.

MITIGATION AND PREVENTION

Organizations looking to mitigate the risk of becoming compromised should follow the following recommendations:
  • Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  • In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on the network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.

In addition to the mitigations listed above, Talos strongly encourages organizations to take the following industry-standard recommended best practices to prevent attacks and campaigns like this and similar ones.
  • Ensure your organization is running an actively supported operating system that receives security updates.
  • Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
  • Run anti-malware software on your system and ensure you regularly receive malware signature updates.
  • Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.

COVERAGE

Snort Rule: 42329-42332, 42340, 41978

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella prevents DNS resolution of the domains associated with malicious activity.

IoCs


File names

CnC IPs

Observed hash values

Appendix

List of file extensions encrypted by the ransomware:
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc

Tuesday, August 07, 2012

Top 5 Reasons ITIL Implementations Don't Go "By The Book"


We always hear that, even though organizations study the texts diligently, they often come to the realization that ITIL and most of the other good practices it draws on are just books. They read these books, take classes, earn certifications, and, with the faith of a new convert, seek to achieve IT Operational Excellence.


But during their journey things do not go as expected. Obtaining upper management buy-in is always a challenge, effecting organizational change is hard, and coordinating such a massive undertaking seems overwhelming. Welcome to the real world.

Presented below are my top five real-world challenges to implementing ITIL and ways by which you can overcome these roadblocks.

5. Different parts of the IT organization have vastly different priorities

Once an organization has become excited about implementing IT service improvements, we almost always see tension arise between those with strategic and those with tactical responsibilities. The strategic thinkers typically want to focus on service catalogs and financial management, while the tactical teams know that the focus must be placed on day-to-day operations like change control and incident management. If you choose a solely tactical approach, you’ll alienate the strategists. Take a strictly strategic approach, and your tactical team may see ITIL as just another thing being pushed on them that doesn’t improve their day-to-day operations. Say bye-bye to organizational change.

To drive success, it is vital that good energy be focused on process improvement — not on second guessing other parts of the organization. The best way to do this is to give as many parts of the organization their piece of the pie. Let the tactical team tackle change management improvement and task the strategists with developing some meaningful key performance indicators to feed into other processes.

In other words, be prepared to support multiple improvement activities concurrently so you can foster healthy competition (whose process was implemented the fastest) rather than begrudging acceptance.

4. The job gets in the way
The most common reason our ITIL projects stall is that day-to-day business gets in the way. We see this happen even when there is project support from all levels of IT management. In the “keep it up and running” vs. “operational improvement” clash, the real-world activities of the business always win — much in the same way problem management is not done because incident management always trumps. In this case, of course, the underlying problem with the IT infrastructure is not the technology, but the processes themselves.

This is neither unexpected nor unreasonable; the business needs to run, so releasing the latest business service must take precedence over attempts to improve IT. So, how do you get process improvement started and keep it rolling? Focus early and often on a CSIP – the continuous service improvement program.

A CSIP approach recognizes that few, if any, organizations are going to have the time or resources to conduct a complete, one-shot overhaul of their IT services. The CSIP is a means of establishing and organizing a series of agreed-upon process improvements (both tactical and strategic), including prioritization, timeframes, and resources. The smaller and more focused the items, the better organizations will be able to steal time away from daily tasks and focus on accomplishing IT improvements. We generate the CSIP as the first project deliverable and require it to be reviewed at least monthly.

3. You already own
Your initial focus should be on designing processes that meet your organization’s needs and then implementing the tool to meet the majority of the process requirements.

2. You don’t know your status quo
The first question isn’t “where do you want to go,” it is “where are you now.” Think of it like a road trip. Unless you know things such as your starting location, your goals for the trip, and the trip timeline, it will be difficult to plan an effective itinerary.

The Planning to Implement IT Service Management book has an entire chapter titled Where Are We Now?, yet many skip that important question and try to design new processes in a vacuum. There is a general sense of “we know what we do now, we do it every day.” It is important, however, to move beyond a general sense to a more concrete understanding.

Before embarking on a CSIP, take the time to understand important questions such as:
  • What are your drivers (business, technology)?
  • Who are your IT stakeholders, what are their needs, and are their needs presently being met?
  • What will the impact be — on both the IT org and the business at large — if you make no change?
  • What processes are now in place?
  • What skill sets do you have in place?
  • What technology do you have in place?

By taking the time to understand the status quo, you’ll have better insight into the scale and complexity of your improvement program.

1. Organizational change is too hard

Unless you tackle the people component, your CSIP is very likely doomed. Many organizations want to gloss over this very important piece, either because they don’t understand its significance or it is just too overwhelming.

Guess what? Organizational change is hard, and, as is the case with the process and technology pieces of ITIL implementations, it will vary greatly based on your size, structure, and culture. Are there then some common threads that will enable you to get the necessary buy-in to succeed with organizational change? We find the organizations most effective in their efforts to have a multi-pronged approach:

  • Training for your IT staff and IT management. Give yourselves a common vocabulary and a common understanding of IT service management best practices. If you don’t have the time and budget to put everyone through Foundations-level ITIL training, consider bringing in a trainer to conduct half- or full-day seminars about the service delivery and support processes.
  • Simulations for your customers and management (both IT and non-IT). There are a number of simulations available that help illustrate the challenges faced by the IT department and the value of process improvement in enhancing service delivery. These simulations typically increase the willingness and commitment of non-IT staff to improve your processes, and show IT participants that improvement is possible.
  • Workshops with stakeholders to facilitate planning efforts. Involve your staff, customers, and other stakeholders in your process development. This will require a degree of time commitment in terms of scheduling the workshops, and it is highly advised to bring in an outside consultant to facilitate the workshop and keep things moving forward.